Big changes have been happening with external user sharing for SharePoint Online over the past few months now that Azure Active Directory Business to Business (Azure AD B2B) is generally available. Azure AD B2B lets you share Office 365 content and line-of-business applications with users outside your organization. If you are new to Azure AD B2B, watch the intro on this page: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-what-is-azure-ad-b2b

The drawback, however, is the user onboarding process. Security groups, permissions, user onboarding, administration, and the cumbersome 4-6 step invite flow the user has to get through to accept and sign up/sign in to your site make it hard to find a good OOTB solution. However, after reading most of the Azure AD B2B articles and working with Microsoft support, I have found an improved (not perfect) process for inviting users and letting them sign up for a Microsoft account.

This script will:

Import your users from a CSV file

Add them to an Office 365 security group (that is permissioned to your app or SharePoint Online site)

Send them a custom email message with the invite link that fully supports HTML

The goal of this script is to make it easier on the user so they see a custom email and not a generic Office 365 Azure AD email (after all, the users have no clue what Azure AD is)

In the CSV above, the first row is the headers, which we reference in PowerShell during the import. The following rows are the users' real email addresses, which is where the invite would normally be sent (the script suppresses the generic Azure AD invitation email and sends its own, so this address mainly serves as the user's identity so we know how to reach them in the future). Long story, but the invited email doesn't have to match the personal/organizational account they sign in with; for this blog post they will match so we don't confuse authorization with authentication.

Administration - Create a security group and set SharePoint Online permissions

The next step is so you don’t have to go into SharePoint Online sites and add each users’ permissions manually.

Similar to AD groups, create an Office 365 Security Group in the O365 Users > Groups admin center.

Add the security group to the SharePoint site and set the read/write permissions this group will have (for example, a group called External Users that is read-only on the root site, and another called External Members with contribute permissions, etc.).

Once we import the CSV of users, we will have to add the new users to the O365 groups accordingly.
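Here is a complete worked version of the procedure above (import the CSV, create the B2B invitation with the generic email suppressed, add the guest to the security group, send a custom HTML invite). This is an added example, not the script from the original post. It uses the AzureAD PowerShell module cmdlets of the post's era (New-AzureADMSInvitation, Add-AzureADGroupMember) and Send-MailMessage over smtp.office365.com; the CSV headers "Email" and "DisplayName", the group name "External Users", the site URL and the sender address are all assumptions you will need to replace.

```powershell
#Requires -Modules AzureAD
# Added example, not the original post's script. Assumed: CSV headers "Email" and
# "DisplayName", a security group named "External Users", and the site/mail values below.
param(
    [string]$CsvPath     = '.\externalusers.csv',
    [string]$GroupName   = 'External Users',
    [string]$SiteUrl     = 'https://contoso.sharepoint.com/sites/partners',
    [string]$FromAddress = 'invites@contoso.com',
    [string]$SmtpServer  = 'smtp.office365.com'
)

# Escape a value for an OData -Filter: a single quote is doubled. CSV content is
# untrusted input, so never interpolate it into a filter unescaped.
function ConvertTo-ODataLiteral([string]$Value) { return $Value.Replace("'", "''") }

# 1. Credentials. The post used two prompts (one per tenant); with a single tenant
#    that can also send mail, reuse $tenantCred for $mailCred.
$tenantCred = Get-Credential -Message 'Admin account for the tenant that owns the site'
$mailCred   = Get-Credential -Message 'Mailbox the custom invite is sent from'
Connect-AzureAD -Credential $tenantCred | Out-Null

# 2. Resolve the security group once and cache its members, so re-running the
#    script is idempotent (no duplicate invites, no duplicate-member errors).
$group = Get-AzureADGroup -Filter "displayName eq '$(ConvertTo-ODataLiteral $GroupName)'"
if (-not $group) { throw "Security group '$GroupName' not found" }
$members = @{}
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    ForEach-Object { $members[$_.ObjectId] = $true }

# 3. Import the users; the property names come from the CSV header row.
foreach ($row in Import-Csv -Path $CsvPath) {
    $email = "$($row.Email)".Trim()
    if (-not $email) { continue }
    $name = if ($row.DisplayName) { $row.DisplayName } else { $email }

    # 4. Invite only if no user with this mail address exists yet.
    $guest = Get-AzureADUser -Filter "mail eq '$(ConvertTo-ODataLiteral $email)'" |
             Select-Object -First 1
    $redeemUrl = $null
    if ($guest) {
        $guestId = $guest.ObjectId
    } else {
        # -SendInvitationMessage $false suppresses the generic Azure AD email;
        # the returned object carries the redemption link we mail ourselves.
        $invite = New-AzureADMSInvitation -InvitedUserEmailAddress $email `
                                         -InvitedUserDisplayName $name `
                                         -InviteRedirectUrl $SiteUrl `
                                         -SendInvitationMessage $false
        $guestId   = $invite.InvitedUser.Id
        $redeemUrl = $invite.InviteRedeemUrl
    }

    # 5. Add the guest to the group that carries the SharePoint permissions.
    if (-not $members.ContainsKey($guestId)) {
        Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $guestId
        $members[$guestId] = $true
    }

    # 6. Send the custom HTML invite. The redeem URL lets whoever holds it accept
    #    the invitation, so it goes only to the invited address. CSV-sourced
    #    values are HTML-encoded so a crafted DisplayName cannot inject markup.
    if ($redeemUrl) {
        $safeName  = [System.Net.WebUtility]::HtmlEncode($name)
        $safeEmail = [System.Net.WebUtility]::HtmlEncode($email)
        $safeUrl   = [System.Net.WebUtility]::HtmlEncode($redeemUrl)
        $body = @"
<html><body style="font-family:Segoe UI,Arial,sans-serif">
<p>Hi $safeName,</p>
<p>You have been given access to our partner site. Use the link below and sign in
with the account for <b>$safeEmail</b>.</p>
<p><a href="$safeUrl">Accept your invitation</a></p>
<p>If you did not expect this message, you can ignore it.</p>
</body></html>
"@
        Send-MailMessage -To $email -From $FromAddress `
            -Subject 'Your invitation to the partner site' `
            -Body $body -BodyAsHtml -SmtpServer $SmtpServer -Port 587 -UseSsl -Credential $mailCred
        Write-Host "Invited $email and emailed the redeem link"
    } else {
        Write-Host "$email already exists; ensured group membership only"
    }
}
```

Two caveats for anyone running this. Connect-AzureAD -Credential does not work for accounts with MFA enforced; drop -Credential and complete the interactive sign-in instead. The AzureAD module itself has since been deprecated by Microsoft in favour of Microsoft Graph PowerShell, so treat the cmdlet names as the post's era, not a current recommendation.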

Note that #2 and #2a in the script can be combined so you are only prompted once. I had to use two because I have two O365 tenants: one is a demo tenant that does not support email, and the other is my personal O365 tenant that I send the email from.

YOU WILL NEED TO REPLACE A LOT OF THE HARD-CODED VARIABLES ABOVE IN THE SCRIPT. LOOK CLOSELY.

Watch out for the fancy quotes

Here is an example email I sent myself to test (I put the access ID for my demo tenant and accepted it, so don’t bother typing it out haha)


Hi Eric,
Just going through your script to use myself, there’s a variable you specify $messageInfo which doesn’t get set. I’m guessing this doesn’t matter because the invitation itself isn’t getting sent anyway, so is the whole part ‘-InvitedUserMessageInfo $messageInfo’ unnecessary?